A command injection vulnerability was found in the web administrationconsole. In particular, snserv script did not sanitize some inputparameters before executing a system command.

4. *Vulnerable Packages*

. SoftNAS Cloud versions prior to 4.0.3Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

SoftNAS released SoftNAS Cloud 4.0.3 that addresses the reportedvulnerability. The software update can be performed via theStorageCenter admin UI in the product.For more information on the updating process see:https://www.softnas.com/docs/softnas/v3/html/updating_to_the_latest_version.html.

In addition, SoftNAS published the following release note:https://docs.softnas.com/display/SD/Release+Notes

6. *Credits*

The vulnerability was discovered and researched by Fernando Diaz andFernando Catoira from Core Security Consulting Services. The publicationof this advisory was coordinated by Leandro Cuozzo from Core AdvisoriesTeam.

7. *Technical Description / Proof of Concept Code*

7.1. *Check and execute update functionality abuse leading to commandexecution*[CVE-2018-14417]The 'recentVersion' parameter from the snserv endpoint is vulnerable toOS Command Injection when check and execute update operations areperformed.This endpoint has no authentication/session verification. Therefore, itis possible for an unauthenticated attacker to execute malicious code inthe target server. As the WebServer runs a Sudoer user (apache), themalicious code can be executed with root permissions.

The following part of the /etc/sudoers file shows the apache usercapabilities.

As can be seen in the former request the payload had to be base64encoded as some special characters were not being properly decoded.

8. *Report Timeline*2018-05-29: Core Security sent an initial notification to SoftNAS,including a draft advisory.2018-05-31: SoftNAS confirmed the reported vulnerability and informedthey were working on a plan to fix the issue.2018-05-31: Core Security thanked the SoftNAS' reply.2018-06-15: Core Security requested a status update.2018-06-26: SoftNAS answered saying the fixed version was scheduled forlate July.2018-06-26: Core Security thanked the update.2018-07-16: Core Security asked for a status update and requested asolidified release date.2018-07-16: SoftNAS informed that the new release version were under QAverification and they would have the release date during the week.2018-07-19: SoftNAS notified Core Security that SoftNAS Cloud 4.0.3version was already available.2018-07-19: Core Security thanked SoftNAS's update and set July 26th asthe publication date.2018-07-26: Advisory CORE-2018-0009 published.

9. *References*

[1] https://www.softnas.com

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged withanticipating the future needs and requirements for information securitytechnologies. We conduct our research in several important areas ofcomputer security including system vulnerabilities, cyber attackplanning and simulation, source code auditing, and cryptography. Ourresults include problem formalization, identification ofvulnerabilities, novel solutions and prototypes for new technologies.CoreLabs regularly publishes security advisories, technical papers,project information and shared software tools for public use at:http://corelabs.coresecurity.com.

Apache OpenWhisk is prone to a remote code-execution vulnerability.An attacker may exploit this issue to inject and execute arbitrary code within the context of the affected application; this may aid in further attacks.Versions prior to Apache OpenWhisk 1.3.1 are vulnerable.